Analysis
- max time kernel: 127s
- max time network: 125s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 15-11-2020 22:48
- Static task: static1
- Behavioral task: behavioral1
  Sample: f53fc8ee1359db4a8a7ec51d9fa82c5aa2b9e9c462c7d83151c853dda815c628.exe
  Resource: win7v20201028
- Behavioral task: behavioral2
  Sample: f53fc8ee1359db4a8a7ec51d9fa82c5aa2b9e9c462c7d83151c853dda815c628.exe
  Resource: win10v20201028

General
- Target: f53fc8ee1359db4a8a7ec51d9fa82c5aa2b9e9c462c7d83151c853dda815c628.exe
- Size: 217KB
- MD5: fac9407d8b782e2464bd1419182842bc
- SHA1: 9ea7a22e44d67093b99cb802cb3ff49ca3b43ac6
- SHA256: f53fc8ee1359db4a8a7ec51d9fa82c5aa2b9e9c462c7d83151c853dda815c628
- SHA512: bc7ff6d6cefa11bfe130bebae87e7876c63649859ee7a1ea7d5c4378b139ea7198e3d123b31274adf8ef7c6a0923a8fd7bc6e296a178ce9a012eaf75263a6ef1

Malware Config
Extracted: cobaltstrike
http://universalec.com.zclngty.club:443/owa/
- access_type: 512
- beacon_type: 2048
- create_remote_thread: 0
- day: 0
- dns_idle: 1.34744072e+08
- dns_sleep: 0
- host: universalec.com.zclngty.club,/owa/
- http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAACGQ29va2llOiBNaWNyb3NvZnRBcHBsaWNhdGlvbnNUZWxlbWV0cnlEZXZpY2VJZD05NWMxOGQ4LTRkY2U5ODU0O0NsaWVudElkPTFDMEY2QzVEOTEwRjk7TVNQQXV0aD0zRWtBakRLakk7eGlkPTczMGJmNzt3bGE0Mj1aRzB5TXpBMktqRXMAAAAHAAAAAAAAAA0AAAAFAAAAAndhAAAACQAAAA5wYXRoPS9jYWxlbmRhcgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAABAAAADQAAAAUAAAACd2EAAAAHAAAAAAAAAA0AAAACAAAABndsYTQyPQAAAAIAAAALeGlkPTczMGJmNzsAAAACAAAAEk1TUEF1dGg9M0VrQWpES2pJOwAAAAIAAAAXQ2xpZW50SWQ9MUMwRjZDNUQ5MTBGOTsAAAACAAAAOE1pY3Jvc29mdEFwcGxpY2F0aW9uc1RlbGVtZXRyeURldmljZUlkPTk1YzE4ZDgtNGRjZTk4NTQ7AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_method1: GET
- http_method2: GET
- injection_process:
- jitter: 5120
- maxdns: 235
- month: 0
- pipe_name:
- polling_time: 30000
- port_number: 443
- proxy_password:
- proxy_server:
- proxy_username:
- sc_process32: %windir%\syswow64\gpupdate.exe
- sc_process64: %windir%\sysnative\gpupdate.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCaFjt+ur8edBaOugmVauUhoZuRl/X1csJ4aa5HNiVVxH+nj+tljmiIaj9JYw+dX02sXg+KraYAGaR0XRIJC7Fac+g4z8+Gce7dZTFpyQgtgE/ktBZsYlweECSXVPa7mUrUvLv9bjnn4x5woeJ388rAWdOpz5PPuFV1o0cIA+/7xwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 1.448416512e+09
- unknown2: AAAABAAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown3: 1.610612736e+09
- unknown4: 0
- unknown5: 0
- uri: /OWA/
- user_agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)
- year: 0

Signatures
- Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.